Is there a way to supress Elixir warnings from an Erlang module in a mix project?

wkirschbaum · June 17, 2024, 7:26am

When upgrading to OTP 27 the following warning pops up:

    warning: :public_key.encrypt_public/3 is deprecated. Do not use
    │
  7 │     :public_key.encrypt_public(message, public_key,
    │                 ~

and checking on the erlang channel on slack Bram Verburg said that the following

“TL;DR: the OTP team says they have no plans to remove the functions, so if you have a need that is not affected by the Marvin vulnerability or a way to ensure the underlying libcrypto is not vulnerable you can continue to use the deprecated functions”

and gave me the following link: Security Working Group Minutes - #6 by voltone - EEF Security - Erlang Programming Language Forum - Erlang Forums.

In our case, our code is not vulnerable, so this warning is causing unnecessary noise. To avoid the issues from the The Broken Window Theory, it would be good to have a way to suppress this warning and keep our output clean.

There seems to be a difference between what is deprecated in Erlang world and the Elixir world, so this might not be an isolated case. How do people deal with this in their projects?

josevalim · June 17, 2024, 7:36am

You can “hide” it for now:

defp public_key_module, do: :public_key

And then:

public_key_module().encrypt_public(message, ...)

But the type system may catch it in a year or two. You can ping me again then! We have historically not allowed warnings to be disabled but, except ones with false positives, but we may revisit this decision.

wkirschbaum · June 17, 2024, 9:01am

Thanks @josevalim, will certainly ping you when this workaround expires.